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DETAILED ACTION 

1. Claims 1-31 have been examined. 

Specification 

2. In search for an interpretation of "a nested VPN connection" the examiner 
encountered the phrase: "for a number of VPN connections such as nested 
connections and nested confections with coincident local endpoints" (The 
specification, pg. 10 lines 11-12). Applicant should verify that the used word 
"confections" is correct and if it is the examiner requests providing the 
interpretation of the term. 

Drawings 

3. On page 15 lines 7-8 applicant discusses Fig. 2 as a prior art, reciting: "In 
previous systems, a connection arrangement such as that depicted in Fig. 2 
posed numerous problems". However, Fig. 2 has no prior art associated with 
it. The Fig. 2 should be replaced with the figure labeled as prior art or 
applicant should clarify why the figure does not read on prior art. 

4. Corrected drawing sheets are required in reply to the Office action to avoid 
abandonment of the application. Any amended replacement drawing sheet 
should include all of the figures appearing on the immediate prior version of 
the sheet, even if only one figure is being amended. The figure or figure 
number of an amended drawing should not be labeled as "amended." If a 
drawing figure is to be canceled, the appropriate figure must be removed from 
the replacement sheet, and where necessary, the remaining figures must be 
renumbered and appropriate changes made to the brief description of the 
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several views of the drawings for consistency. Additional replacement sheets 
may be necessary to show the renumbering of the remaining figures. The 
replacement sheet(s) should be labeled "Replacement Sheet" in the page 
header (as per 37 CFR 1 .84(c)) so as not to obstruct any portion of the 
drawing figures. If the changes are not accepted by the examiner, the 
applicant will be notified and informed of any required corrective action in the 
next Office action. The objection to the drawings will not be held in abeyance. 

Claim Objections 

5. The phrase: "wherein the refreshing IKE traffic is secured" (claim 6) should 
read "wherein the refreshed IKE traffic is secured". 

Claim Rejections - 35 USC §112 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

6. Claims 1-31 are rejected under 35 U.S.C. 112, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject 
matter that applicant regards as the invention. 

7. Claims 1-31 recite: "IKE traffic". The term is not understood. IKE is a hybrid 
protocol, combining parts of other protocols (e.g. ISAKMP, Oakley and 
SKEMI). It is not clear whether applicant using the "IKE traffic" term refers to 
the traffic that requires that each part of IKE is present, whether any part of 
these protocols must be present within the "traffic", whether applicant refers to 
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the traffic that is initiated using simply the idea of IKE's establishing a secure, 
authenticated channel upon which security association is negotiated or 
whether an other interpretation of the term should be exercised. 

8. Claims 5, 8-9, 12, 14-15, 18-20, 22, 28 and 31 recite the term "outside", e.g. 
"outside of a particular VPN connection". The term is not understood. 

9. The specification discloses the term "outside" on pg. 3 line 1 1 , pg. 5 lines 1 , 9, 
pg. 6 line 8, pg. 4 line 7, pg. 1 4 line 1 4 and 22, and pg. 1 8 line 4 and 1 1 . 

10. However, the specification does not clearly indicate how this term should be 
treated. For instance in light of the phrase "the nested VPN connection must 
travel outside of the nested VPN connection yet inside of the outer VPN 
connection" (pg. 3 lines 12) the "outside" could be interpreted as the 
connection C2 between nodes 32 and 32 (Fig. 2), which "extends" over 
extension C1. 

1 1 . However, the citation on pg. 18: "Since the IKE traffic pertains to connection 
C2, IKE traffic management system 30 will guide the response IKE traffic 
outside of connection C2 in the proper security format" (lines 2-4) makes the 
above interpretation uncertain. 

12. Also, the specification discusses the C2 and C1 connection in light of Fig. 3 
wherein C2's entries in columns 58 and 64 (in contrast to the prior art) is 
changed, and perhaps this change identifies an "outside" connection. 

13. Applicant should clarify the term but for purposes of further examination the 
phrase is treated as best understood. 



Application/Control Number: 10/058,954 Page 5 

Art Unit: 2134 

14. Claims 5-6, 12 and 28-29 recite the phrase: "refreshing IKE traffic". It is not 
clear whether "refreshing" constitutes new data sent from a sender to a 
receiver or if it must involve the whole set of IKE transactions, e.g. the new 
key exchange. 

1 5. The term: "outer VPN connection" in claims 1 0, 1 7-20 and 22-23 is not 
understood. 

16. In claims 7-8, 11,18-19, 20, 22-23 and 31 the phrase: "nested VPN 
connection" is not clear, especially since in claim 8 applicant recites: "a 
nested VPN connection outside of the nested VPN connection". In computer 
science nested transactions are transactions that take place within a larger 
transaction. 

17. For purposes of further examination the term: "a nested VPN connection" is 
treated as a VPN connection that is originated by another VPN connection. 

18. Claim 8 recites: "a nested VPN connection outside of the nested VPN 
connection". There is no other "nested VPN connection" introduced in the 
claims on which claim 8 depends. As a result the statement essentially 
requires that an object be outside of itself. The limitation is not understood. 

19. The phrase: "replacing the potential VPN connection with the nested VPN 
connection" in claim 23 is not understood. The language suggests that "the 
potential VPN connection" exists due to the placing of "a potential nested 
VPN connection entry in a table". As a result "updating the table by replacing 
the potential VPN connection entry with the nested VPN connection entry" 
would seem to be more appropriate language. 



Application/Control Number: 10/058,954 
Art Unit: 2134 



Page 6 



In other words the examiner understands applicant's intention that a table 
consists of entries that represent a connection (as also cited in claim 23) and 
not actual (or potential) VPN connections. Applicant should correct the issues 
in claim 23, or otherwise clarify it. 

20. Claim 1 7 recites establishing security associations for an outer VPN 
connection and claim 18 further limits claim. 17 reciting that "IKE traffic 
pertaining to the outer VPN connection is guided outside of the outer VPN 
connection". Although claim 17 does not explicitly teach establishing "the 
outer VPN connection" the examiner understands that "establishing security 
associations" is equivalent to establishing "a VPN connection" (e.g. an outer 
VPN connection). 

21 . For purposes of further examination the phrase is treated as best understood; 
however, appropriate correction/clarification is required 

Claim Rejections - 35 USC § 102 or 103 

The following is a quotation of the appropriate paragraphs of 35 

U.S.C. 102 that form the basis for the rejections under this section made in this 

Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 
122(b), by another filed in the United States before the invention by the applicant for patent or 
(2) a patent granted on an application for patent by another filed in the United States before 
the invention by the applicant for patent, except that an international application filed under 
the treaty defined in section 351 (a) shall have the effects for purposes of this subsection of an 
application filed in the United States only if the international application designated the United 
States and was published under Article 21 (2) of such treaty in the English language. 
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The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 1 02 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

22. Claims 1 and 27 are rejected under 35 U.S.C. 102(e) as anticipated by or, in 
the alternative, under 35 U.S.C. 103(a) as obvious over Ylonen et al. (U.S. 
Patent No. 6438612). 

23. As per claims 1 and 27 Ylonen etal. teach data communication using IKE and 
VPN (col.5 line 56-col. 6 line 25). This reads on: "an IKE traffic management 
system for managing the IKE traffic through VPN connections" 

24. Ylonen et al. do not explicitly teach "a filter detection system for searching for 
IKE traffic permit filters" and "an IKE traffic enablement system for 
automatically allowing IKE traffic to flow if the IKE traffic permit filters are not 
detected". 

25. However, Ylonen et al. discloses that the invention includes firewalls (col. 5 
lines 42-45), and it is old and well-known practice to use firewalls to utilize 
firewall traffic permit filters to restrict network traffic from and to network 
nodes, which leads the examiner to believe that the mechanisms recite above 
are present in Ylonen et al. invention. 

26. Even if Ylonen et al.'s invention did not utilize a filter detection system to 
decide whether there are any IKE traffic permit filters present on the firewall, 
and to allow the IKE traffic if the permit filters were not detected, it would have 
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been obvious to one of ordinary skill in the art at the time of applicant's 
invention to implement such a mechanism into Ylonen et al's invention in 
order to ensure that only data conforming to established policies flows from 
and out of an organization. 

27. Claims 2-26 and 27-31 are rejected under 35 U.S.C. 103(a) as obvious over 
Ylonen etal. (U.S. Patent No. 6438612). 

28. As per claims 2 and 6, C3 and Ylonen et al. teach that any of the 
communicating devices can be a firewall (col. 5 lines 42-45) C2,6,. 

29. As per claims 3 and 7 firewalls, once set up, work automatically C3 and it is 
inherent that a traffic management system implementing IKE traffic must have 
entries that identify the connection between nodes, IP address of connected 
nodes and security associations for the VPN connections. Also, given the 
fact that it is old and well known in the art that tables are used to store 
information (e.g. ACL, DNS entries etc.) it would have been obvious to one of 
ordinary skill in the art at the time of applicant's invention to employ tables to 
store the IKE traffic entries for motivation of a quick access to the information 
C7. 

30. As per claims 4, 6 it is implicit that the security association must occur on 
sending and receiving nodes in order to establish a VPN connection. 

31. As per claim 5 it is well known in art (as pointed out by applicant on page 15 
lines 7-8 in relation to Fig. 4) to "extend" an already existing VPN connection. 
It would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to extend the VPN connection (guide the refreshing IKE 
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traffic outside of the VPN connection). One of ordinary skill in the art would 
have been motivated to perform such a modification in order to extend 
connection security, especially when a client connects to an organization 
through an ISP connection, wherein the ISP is not part of the organization. 

32. The "extended" connection also reads on a nested VPN connection. 

33. As per claim 8 a station must keep security association for each VPN 
connection that the receiving station utilizes to communicate with other 
parties. 

34. Claims 9-26 and 28-31 are substantially equivalent to claims 2-8; therefore 
claims 9-26 and 28-31 are similarly rejected. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Peter Poltorak whose telephone number is 
(571 ) 272-3840. The examiner can normally be reached Monday through 
Thursday from 9:00 a.m. to 4:00 p.m. and alternate Fridays from 9:00 a.m. to 
3:30 p.m. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse can be reached on (571) 272-3838. The fax 
phone number for the organization where this application or proceeding is 
assigned is (571) 273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see 
http://pair-direct.uspto.gov. Should you have questions on access to the 
Private PAIR system, contact the Electronic Business Center (EBC) at 866- 
217-9197 (toll-free). 
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